Closed okitry closed 11 months ago
Could you please confirm the output of /wp-json/wp/v2/users/?per_page=100&page=1
?
When I do so, with a user on my site with username j@m3s
, WordPress itself tells me that the username is jm3s
, even though to log in I do need the @
character.
By default WordPress doesn't allow @
characters in usernames, so I had to manually edit the username in the DB in order to reproduce this. That said, it doesn't appear to be an issue with WPScan, but rather an issue with the way WP handles usernames with illegal characters in them.
Closing this as I believe it's an issue with WP, not WPScan, but feel free to reopen if I've misunderstood!
I was doing some research on one CTF today and found that the parser had collected login data incorrectly:
[i] User(s) Identified: [+] jm3s
When I went manually to blog/?author=1 I saw "Author: j@m3s"
Then I tested on the wp-login.php login: jm3s - ERROR: Invalid username. j@m3s - ERROR: The password you entered for the username j@m3s is incorrect.
for some reason the parser truncated the "@" symbol
Your environment